CVE-2026-30223
Published: 06 March 2026
Summary
CVE-2026-30223 is a high-severity Improper Authentication (CWE-287) vulnerability in Olivetin Olivetin. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-2 requires robust identification and authentication mechanisms for organizational users that fully validate JWT tokens including the audience claim to prevent acceptance of cross-service tokens.
IA-5 ensures authenticators like JWTs are managed with sufficient strength of mechanism, including proper verification of claims such as audience during token parsing.
AC-3 enforces approved access authorizations only after validated authentication, mitigating unauthorized access to shell commands via flawed JWT audience enforcement.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The auth bypass (missing JWT audience enforcement) directly enables remote exploitation of the public-facing OliveTin web app (T1190) to run arbitrary predefined shell commands on the host (T1059.004).
NVD Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during…
more
token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.
Deeper analysisAI
CVE-2026-30223 is a high-severity authentication vulnerability (CVSS 3.1 score of 8.8) affecting OliveTin, an open-source web interface that provides access to predefined shell commands. In versions prior to 3000.11.1, when JWT authentication is configured using either a local RSA public key via "authJwtPubKeyPath" or an HMAC secret via "authJwtHmacSecret", the configured audience value ("authJwtAud") is not enforced during token parsing. This flaw, linked to CWE-287 (Improper Authentication) and CWE-345 (Insufficient Verification of Data Authenticity), allows validly signed JWT tokens with an incorrect audience claim to be accepted, enabling cross-service token misuse.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), potentially achieving high confidentiality, integrity, and availability impacts (C:I:A:H). Specifically, if an attacker obtains a JWT token signed with the same key or secret but intended for a different audience or service, they can authenticate to OliveTin and execute its predefined shell commands, leading to arbitrary command execution on the host system.
The issue has been addressed in OliveTin version 3000.11.1, as detailed in the project's security advisory (GHSA-g962-2j28-3cg9), release notes, and the patching commit. Security practitioners should upgrade to 3000.11.1 or later to enforce audience validation during JWT parsing and mitigate the risk.
Details
- CWE(s)